Malware-Traffic-Analysis.net - 2014-10-02 - Phishing email

2014-10-02 - PHISHING EMAIL - SUBJECT: JOB IN FINANCIAL SERVICE

ASSOCIATED FILES:

ZIP file of the malware: 2014-10-02-phishing-malware.zip

NOTES:

I couldn't generate any network traffic on the infected VM. I also tried two different sandbox environments without any luck.
If I get the chance, I'll run the malware on a bare-metal host and update this blog post.

PHISHING EMAIL DETAILS

SCREENSHOT:

MESSAGE TEXT:

From: Thane Bradford <builderwork@groupcarreerrr.com>
Reply-To: Thane Bradford <careerwork@careerbuilderr.net>
Date: Thursday, October 2, 2014 at 20:58 UTC
To:
Subject: Job in financial service

Good morning!!!
The companys careerbuilder has a good offer for you. One of the most successful financial service companies is hiring workers and you can be a part of successful team. If you are smart and motivated - send your resume to us.
Our customer offers a practical training period.
The average every year salary varies from 300K to 400K$.
You can get more information from the attachment below this letter.
We appreciate your time. Thank you for reading this info.

Attachment: INFO.zip (244.7 KB)

PRELIMINARY MALWARE ANALYSIS

EMAIL ATTACHMENT:

File name: INFO.zip
File size: 181.1 KB ( 185477 bytes )
MD5 hash: eccf92708f49ac1ec097fae8feb71cde
Detection ratio: 5 / 55
First submission: 2014-10-02 21:36:11 UTC
VirusTotal link: https://www.virustotal.com/en/file/a4660af9d6fdae34ccb7b6b788f6f8b510247d4508ea44d5e1c949de045c8486/analysis/

EXTRACTED MALWARE:

File name: INFO.scr
File size: 312.5 KB ( 320000 bytes )
MD5 hash: 58e3dd640785871be87dbeeb982d4b7a
Detection ratio: 3 / 55
First submission: 2014-10-02 22:10:48 UTC
VirusTotal link: https://www.virustotal.com/en/file/b4c6fa2b61a97269a6e7b244183558d636681127329f5be3ea0c18d7518daa1e/analysis/
Malwr link: https://malwr.com/analysis/ZWY4MTA4YmVlZmNhNDg3Y2EwNDU1Zjk2NGRiN2NiY2Q/

SCREENSHOTS

When running the malware in a Windows 64-bit VM, I got the following error:

I renamed the file to an EXE extension and ran it as an administrator. The malware copied itself to C:\ProgramData\explorer.exe and created the following registry entry in HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run:

FINAL NOTES

Once again, here are the associated files:

ZIP file of the malware: 2014-10-02-phishing-malware.zip

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.